September 04, 2012
Intellectual Property, Litigation Alerts

Avoiding Trip Wires: Complying with Requests for Electronically Stored Information
by Lisa P. Tse

When responding to information requests, whether in the form of a subpoena, warrant or a private party request, companies in possession of electronically stored information must ensure compliance with the Electronic Communications Privacy Act (“ECPA”).  Companies that provide communications or electronic information storage services to customers should be particularly wary of ECPA.  ECPA is federal statute intended to protect communications and records held in electronic storage from improper disclosures.  ECPA is a complicated statute.  In fact, courts have repeatedly highlighted ECPA’s complexity, describing the statute as being “famous (if not infamous) for its lack of clarify”[1] and that it is “fraught with trip wires.”[2]  Nevertheless, failure to comply with ECPA can result in civil and/or criminal liabilities for improper disclosure of information.  Below are several factors to consider before responding to requests for electronically stored information. 

(1)        What Information is Being Requested?

ECPA distinguishes between content-based and non-content based information, and it provides stronger protections for content-based information. 

  • Content-Based InformationExamples include voicemail messages, the body of a text message, the body of an email and the subject line of an email.  Generally, content-based information may not be disclosed with a warrant or subpoena. 
  • Non-Content Based Information.  Examples include the header of an email (including the “to” and “from” line), the name and address of a customer or subscriber, billing information related to a subscriber, a customer’s bank or payment information and any transactional records of a customer, client or subscriber.   Generally, requests for non-content based information do not require a warrant or subpoena.  Appropriate consent (discussed below) and an administrative subpoena may be sufficient to comply with ECPA. 

(2)        Who is Requesting the Information?

ECPA also distinguishes between requests by government agencies and requests from everyone else.  In general, ECPA sets a higher burden on the government to prove that requests for information are based on legitimate need.   Civil subpoenas or private party requests are not subject to the same higher burden.

  • Government Entities .  ECPA tends to limit the government’s access to electronically stored infromation. There are substantially more procedural limitations governing government requests for electronically stored information.
    o       In general, content-based information may not be disclosed to a government entity without a warrant, subpoena or court order.  Note that ECPA also provides stronger protections for content-based information stored in an electronic system for less six months.
  • Civil Requests. ECPA does not set forth specific limitations on the disclosure of non-content based information to non-government entities.[3]   However, content-based information may only be disclosed with the consent of the appropriate party, which is further discussed below.   

(3)        Whose Consent? 

For certain types of electronically stored information, the consent of the appropriate party is sufficient to comply with ECPA. 

  • Content-Based Information.  Content-based information may be disclosed with the consent of an originator, addressee or intended recipient of a communication.[4]  Note the consent of the customer or subscriber of the disclosing company is not always sufficient (although usually the customer/subscriber is the same as the originator, addressee or intended recipient).[5]  For example, when disclosing the body of an email, the appropriate consenting party includes the individual sending the email, the individual receiving the email, or the individual whom the email is addressed to.  A company’s customer or subscriber of services may not always be the individual sending, receiving or the addressee of the email.   
  • Non-Content Based Information.  Unlike content-based information, the consent of the subscriber and/or customer to disclose non-content based electronically stored information is in compliance with ECPA.[6]  Additionally, like with content-based information, the consent of an originator, addressee or intended recipient is also acceptable.[7] 

(4)        Exceptions for Emergency Situations. 

Despite the requirements discussed above, ECPA allows for the voluntary disclosure of electronically stored information in the event of an emergency situation.  Electronically stored information may be disclosed if the disclosing party believes in good faith that an emergency involving danger of death or serious physical injury to any person. [8]

These and other considerations must be carefully examined when responding to requests for electronically stored information in order to properly comply with ECPA. 

[1] Steven Jackson Games v. United States Secret Service, 36 F.3d 457, 432 (5th Cir. 1995).

[2] Forsyth v. Barr, 19 F.3d 1527 (5th Cir. 1994). 

[3] 18 U.S.C.A. § 2702. 

[4] 18 U.S.C.A. § 2702(b)(3)

[5] See Quon v. Arch Wireless Operating Company, Inc., 529 F.3d 892 (2008) (rev’d on other grounds).  In Quon, the court held that the consent of an employer-subscriber was insufficient where the information requested involved text messages (content-based information) of an employee.  To fully comply with ECPA, the consent of the originator, addressee or intended recipient of the text messages was required. 

[6] 18 U.S.C.A. § 2702(1)(3)

[7] 18 U.S.C.A. § 2702(b)(3)

[8] 18 U.S.C.A. § 2702(c)(4). 
Back to Alerts